Reputation: 24803
So, I have a PHP script that takes a user's 'key' and checks if it is valid. I don't want them to be able to submit the form after 3 failed attempts.
I had the idea of using cookies, but since they are client side they can be flushed so it appears as the first attempt to my script. I also thought of using sessions, but since they expire after a session, it would be easy to bypass. The program doesn't require a DB and I would like to avoid it if possible.
I also thought of requiring a captcha in order to submit the form. Is that the best option? I look forward to hearing your suggestions.
Upvotes: 0
Views: 197
Reputation: 2200
How about adding a string to the URL/cookie with the current time, attempt number, and some hash of these? Like that, reusing the previous such string won't work because of the time check, and generating such a string would require reverse-engineering the hash function from samples, which is very hard.
Upvotes: -1
Reputation: 758
Since you obviously already store user and key, keep track of failed attempts, too. Make this per user, not per session, since it's easy enough for the attacker to pretend to be a new connection every time. With this information you can have the login attempt take exponentially longer.
If you also keep track of when the last failed attempt was, you can use it to decrease failed attempts over time.
If you aren't sure you want to use a captcha, perhaps it's an idea to use it after the first failed attempt.
Upvotes: 3
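The per-user tracking this answer describes, as an added example written for this page (not the answerer's code): failed attempts are stored server-side in a small JSON file keyed by the user, so clearing cookies or starting a new session does not reset the count, the wait doubles with every failure, and each quiet hour forgives one failure. The directory, constants and function names are assumptions.

```php
<?php
// Added example (not from the answers above): file-backed, per-user throttle for
// failed key checks, no database. THROTTLE_DIR and all names are assumptions.
declare(strict_types=1);

const THROTTLE_DIR = '/var/tmp/login-throttle'; // assumption: writable only by PHP
const DECAY_SECONDS = 3600;   // every quiet hour forgives one failed attempt
const BASE_DELAY_SECONDS = 2; // wait doubles per failure: 2, 4, 8, ... seconds
const MAX_DELAY_SECONDS = 900;

// Hash the user name so it never becomes part of a filesystem path.
function throttleFile(string $user): string {
    return THROTTLE_DIR . '/' . hash('sha256', $user) . '.json';
}

function loadState(string $user): array {
    $raw = is_file(throttleFile($user)) ? file_get_contents(throttleFile($user)) : '';
    $state = json_decode((string) $raw, true);
    return is_array($state) ? $state : ['failures' => 0, 'last' => 0];
}

// Failures still counted against the user after time-based decay.
function effectiveFailures(array $state, int $now): int {
    $forgiven = intdiv(max(0, $now - (int) $state['last']), DECAY_SECONDS);
    return max(0, (int) $state['failures'] - $forgiven);
}

// Seconds the caller must still wait before another attempt for $user is allowed.
function secondsUntilAllowed(string $user, int $now): int {
    $state = loadState($user);
    $failures = effectiveFailures($state, $now);
    if ($failures === 0) {
        return 0;
    }
    $delay = min(MAX_DELAY_SECONDS, BASE_DELAY_SECONDS * (2 ** min($failures - 1, 20)));
    return max(0, (int) $state['last'] + $delay - $now);
}

function recordFailure(string $user, int $now): void {
    $state = loadState($user);
    $failures = effectiveFailures($state, $now) + 1;
    if (!is_dir(THROTTLE_DIR)) {
        mkdir(THROTTLE_DIR, 0700, true);
    }
    file_put_contents(throttleFile($user), json_encode(['failures' => $failures, 'last' => $now]), LOCK_EX);
}

// In the form handler: refuse while throttled, then compare the key in constant time.
// if (secondsUntilAllowed($user, time()) > 0) { http_response_code(429); exit; }
// if (!hash_equals($expectedKey, $submittedKey)) { recordFailure($user, time()); }
```

Because the state lives on the server, the only way past it is to wait it out; the per-user key also means a slow attacker who rotates IP addresses or sessions is still counted.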
Reputation: 7210
I would suggest an external captcha service like recaptcha: http://www.google.com/recaptcha/learnmore
emphasis on external
Upvotes: 0
Reputation: 5247
IP address (REMOTE_ADDR) and referrer (HTTP_REFERER), checked using $_SERVER, or a captcha sound good. A mix of all is most effective.
Upvotes: 2